Since 2015 ransomware has presented cybercriminals with the easiest and most effective method to take money from unsuspecting users and organisations. Before this, other cyber threats have had their moment in the sun: worms, phishing, fake antivirus, and banking trojans are just a few examples. But as fashions and seasons change so do the tactics of criminals.

New threat intelligence gathered and analysed by Recorded Future’s elite Insikt Group researchers has yielded some significant new insights into the latest method to target weakened systems.

>See also: The ransomware business model

This investigation uses information from a wide range of sources and has identified malicious cryptocurrency mining as a long-term, low-velocity revenue source for these threat actors. This analysis also uncovers the opportunity that mining malware presents to rogue nation states like North Korea and explores how they may already be employing this technique.

Recent cybercrime history

Fraudulent bank transfers remain, by some distance, the most profitable method for cybercriminals. However, these operations are more complex to execute, requiring threat actors to work with developers of web-injects and automatic money-transferring malware. To get to the stolen and laundered funds then relies on potentially dishonest intermediaries. All of this means operational outcomes for banking malware are, to say the least, uncertain.

Against this landscape, ransomware presented a much more straightforward and less risky method. Fueled by the growing adoption of bitcoins, a truly global and entirely untraceable payment method, chances of a successful outcome became very binary. Either infected victims will pay or they won’t, but if they do, all the money goes straight into the attackers wallet. As new vulnerabilities continued to be uncovered, ransomware became a fixture of the already-established exploit kit distribution network.

>See also: Held hostage: the rise of ransomware

In recent years the sophistication and damaging effects of ransomware have evolved to an unstoppable, global epidemic, capable of crippling the economy and costing hundreds of millions of dollars in losses to public and private organisations.

In the wake of the unprecedented WannaCry and NotPetya campaigns attackers saw growing media attention and increased “heat” from law enforcement. This led more acutely aware threat actors to begin searching for the new “big idea” which could generate a steady income stream without all of the inherent risk.

Crypto-mining malware

Mining malware hides itself while using the victim’s processing power to mine crypto-currencies. The first samples of this began appearing in 2013, but threat intelligence from our analysis revealed it was in the second half of 2017 that it gained popularity among members of the criminal underground. By then, dozens of vendors were offering various types of mining malware, ranging in price and functionality.

The profitability levels of mining malware are directly related to how long it remains undetected, leading threat actors to employ crafty techniques to hide this activity from users. It will typically be hidden from the Task Manager and immediately relaunched if deleted. Variants that depend on graphics processors will even terminate the mining process if a video game is run on the computer to avoid detection.

>See also: Downtime is key cost of ransomware attacks 

Analysis of bitcoin wallets and conversations in criminal communities confirms the increasing prevalence of this kind of malware. In one instance a hacker expressed extreme satisfaction with the results of a trial infection:

“I’ve used ‘bots’ already under my control to upload 110 miners before going to sleep. By the time I woke up 108 were still alive, which took me by surprise. I expected a half would be dead by then.”

In attempts to stand out among the competition and answer the demand from customers, developers began expanding their products, in some cases adding various key-logging and data intercepting functionality.

Nation-state participation: North Korea

While the research did not identify any North Korea-specific cryptocurrency mining malware, given North Korea’s demonstrated interest in both legally and illegally procuring cryptocurrencies, it is likely that the regime will employ mining malware in the near future if is has not already.

North Korean threat actors have prior experience in assembling and managing botnets, bitcoin mining, and cryptocurrency theft, as well as in custom-altering publicly available malware; three elements that would be key to effectively creating and managing a network of covert cryptocurrency miners.

>See also: New ransomware advertised on Russian-language forum

Technical analysis of mining malware

The research obtained a feature-rich mining malware called “1ms0rry MINERPANEL,” which is sold across the criminal underground. The product comes in several packages ranging in price from $35 to $850. While the “ Premium” version offers barebone functionality, without access to command and control (C2) panel, the most comprehensive and expensive “Source” version includes the source code for the malware.

The evaluation carried out was of the “Extended” version sold for $100 and offering a range of features including the C2 panel. In addition to all of the required installation files, a software that joins multiple files together into one payload and a step-by-step guide for building and deploying the miner was provided.

The Women in IT Awards is the technology world’s most prominent and influential diversity program. On 22 March 2018, the event will come to the US for the first time, taking place in one of the world’s most prominent business cities: New York. Nominations are now open for the Women in IT USA Awards 2018. Click here to nominate